General
Target: JaffaCakes118_7f90ff9d2dba4edc26a7410a0b557a41
Size: 12.6MB
Sample: 250107-3r14jswnck
MD5: 7f90ff9d2dba4edc26a7410a0b557a41
SHA1: b50854f8852d7d6ccdd8a1cb86ab392d7704f716
SHA256: 5bb6d4452191977be56ad5145aea155685b5e6ea4a019c9ab98e781f4d09dca3
SHA512: a1bad2c021a3846d5d191514edbb0dc563d9dd2ce26b095f9e3a7aabe5e566a132eaebefc1cb37587cdcb5c40f87d58e5b9565cd448f2f2109177d1e9dbee6f0
SSDEEP: 49152:6/m3UeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeD:6

Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_7f90ff9d2dba4edc26a7410a0b557a41.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_7f90ff9d2dba4edc26a7410a0b557a41.exe
  Resource: win10v2004-20241007-en
Malware Config
Extracted: tofsee
  quadoil.ru
  lakeflex.ru
Targets
Target: JaffaCakes118_7f90ff9d2dba4edc26a7410a0b557a41
Size: 12.6MB
- Tofsee family
- Creates new service(s)
- Modifies Windows Firewall
- Sets service image path in registry
- Checks computer location settings: looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Defense Evasion
  Impair Defenses (2)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (1)
  Modify Registry (2)